PocketBase performs password auth and OAuth2 unverified email linking
In order to be exploited you must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: - a malicious actor registers with the targeted user's email (it is unverified) - at some later point in time the targeted user stumbles on your app and decides to sign-up with...
CVE-2024-38351 Password auth and OAuth2 unverified email linking
PocketBase is an open source web backend written in Go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited, users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor registers...
CVE-2024-38351
Summary: PocketBase has a vulnerability where, if both Password and OAuth2 authentication are enabled, a malicious actor could link an unverified email via OAuth2 to an existing user and gain access to that user's account without changing the password. The attack flow described involves registe...